PKI certificates with wrong end date

mario.jost
Level 3

Dear community

I have the same problem as written in these two posts:
https://supportforums.cisco.com/t5/unified-communications/wrong-end-date-in-ios-15-3-and-15-5/td-p/2854362

https://supportforums.cisco.com/t5/wan-routing-and-switching/certifcate-end-date-on-router-is-wrong/td-p/2538441

 

The problem with writing in old posts is that no one ever reads them again. That's why I am creating a new topic for this one.

If we import the certificate of our root CA in base64, it has a wrong end date. I use the exact same commands to import the CA certificate on two different IOS routers.

Cisco ISR 4451 with IOS XE 16.5.1b

 

roRZ201#show crypto pki certificates MERBAGCA
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 17327860BB10B0894D6A09FFB712D1F7
  Certificate Usage: Signature
  Issuer: 
    cn=MERBAG Root Certificate Authority
    ou=IT
    o=MERBAG
    c=CH
  Subject: 
    cn=MERBAG Root Certificate Authority
    ou=IT
    o=MERBAG
    c=CH
  Validity Date: 
    start date: 09:49:23 CET Mar 8 2018
    end   date: 09:59:21 CET Mar 8 2038
  Associated Trustpoints: MERBAGCA 
  Storage: nvram:MERBAGRootCe#C1F7CA.cer

Cisco 897VA with IOS 15.6(2)T1

 

roTST01#show crypto pki certificates MERBAGCA
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 17327860BB10B0894D6A09FFB712D1F7
  Certificate Usage: Signature
  Issuer: 
    cn=MERBAG Root Certificate Authority
    ou=IT
    o=MERBAG
    c=CH
  Subject: 
    cn=MERBAG Root Certificate Authority
    ou=IT
    o=MERBAG
    c=CH
  Validity Date: 
    start date: 09:49:23 CET Mar 8 2018
    end   date: 03:31:05 CET Jan 31 1902
  Associated Trustpoints: MERBAGCA 

Both routers sync their time with the same NTP server and are in synchronized state. Not that this would have anything to do with it, but just in case someone wants to bring that question up.

 

I suspect that this has something to do with the UNIX timestamp. The latest possible date & time for the 32-bit based stamp is the 19th of January 2038 at 03:14:08 (UTC). One of the cases mentioned above has the end date for its CA certificate after that date as well. For the other case, I cannot say, because the post never mentions the correct end date. IOS XE, being completely rewritten, could use another algorithm (maybe in 64-bit) to count beyond that date.

 

Any help is much appreciated.
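
The 32-bit timestamp hypothesis from the question can be checked against the two validity dates shown above. This is an added example, not part of the original post or Cisco code: it passes each date's epoch seconds through a signed 32-bit field and prints the result in the router's display format. It assumes CET is a fixed UTC+1 offset, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1), "CET")  # assumption: fixed UTC+1, no DST in March
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def to_epoch(dt):
    """Seconds since the Unix epoch for a timezone-aware datetime."""
    return int((dt - EPOCH).total_seconds())


def wrap_int32(seconds):
    """Reinterpret a second count as a signed 32-bit two's-complement value."""
    return (seconds + 2**31) % 2**32 - 2**31


def overflows_int32(dt):
    """True when the date cannot be held in a signed 32-bit time field."""
    return to_epoch(dt) > INT32_MAX


def as_seen_by_32bit_clock(dt):
    """Date produced when dt's epoch seconds pass through a signed 32-bit field."""
    wrapped = wrap_int32(to_epoch(dt))
    # EPOCH + timedelta also works for negative (pre-1970) values on every platform.
    return (EPOCH + timedelta(seconds=wrapped)).astimezone(dt.tzinfo)


def ios_format(dt):
    """Render in the style of the router output, e.g. 09:49:23 CET Mar 8 2018."""
    return (f"{dt.hour:02}:{dt.minute:02}:{dt.second:02} {dt.tzname()} "
            f"{MONTHS[dt.month - 1]} {dt.day} {dt.year}")


# Validity dates copied from the 'show crypto pki certificates' output above.
not_before = datetime(2018, 3, 8, 9, 49, 23, tzinfo=CET)
not_after = datetime(2038, 3, 8, 9, 59, 21, tzinfo=CET)

if __name__ == "__main__":
    for label, dt in (("start date", not_before), ("end   date", not_after)):
        flag = "OVERFLOW" if overflows_int32(dt) else "ok"
        shown = ios_format(as_seen_by_32bit_clock(dt))
        print(f"{label}: {ios_format(dt)} -> 32-bit view: {shown} [{flag}]")
```

The wrapped end date comes out as 03:31:05 CET Jan 31 1902, the value the 897VA displays, while the start date passes through unchanged.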

 

 

Accepted Solutions

After upgrading to one of the fixed IOS versions (15.7(3)M1), the end date is displayed correctly without re-importing the certificate:

roTST01#show crypto pki certificates MERBAGCA
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 17327860BB10B0894D6A09FFB712D1F7
  Certificate Usage: Signature
  Issuer: 
    cn=MERBAG Root Certificate Authority
    ou=IT
    o=MERBAG
    c=CH
  Subject: 
    cn=MERBAG Root Certificate Authority
    ou=IT
    o=MERBAG
    c=CH
  Validity Date: 
    start date: 09:49:23 CET Mar 8 2018
    end   date: 09:59:21 CET Mar 8 2038
  Associated Trustpoints: MERBAGCA 
  Storage: nvram:MERBAGRootCe#C1F7CA.cer

 


mario.jost
Level 3

This bug describes the issue:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsl95969/?rfs=iqvred

 

I am gonna install one of the fixed releases and report back.

